sojorn/_legacy/supabase/functions/delete-account/index.ts


/**
* POST /delete-account - Request permanent account deletion (30-day waiting period)
* POST /delete-account/cancel - Cancel a pending deletion request
*
* Design intent:
* - Allows users to request permanent account deletion
* - 30-day waiting period before actual deletion
* - Users can cancel the request within 30 days
* - After 30 days, account is permanently deleted by a scheduled job
*/
import { serve } from 'https://deno.land/std@0.177.0/http/server.ts';
import { createSupabaseClient } from '../_shared/supabase-client.ts';
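/**
 * Origin echoed in Access-Control-Allow-Origin. `||` (not `??`) is deliberate:
 * an ALLOWED_ORIGIN that is set but empty must also fall back to the production
 * origin rather than emit an empty header value.
 */
const ALLOWED_ORIGIN = Deno.env.get('ALLOWED_ORIGIN') || 'https://sojorn.net';

/** CORS header attached to every response produced by this function. */
const CORS_HEADERS: Record<string, string> = {
  'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
};

/**
 * Builds a JSON response with the CORS origin header attached.
 *
 * @param body - Value serialised with JSON.stringify as the response body.
 * @param status - HTTP status code; defaults to 200.
 * @param extraHeaders - Headers merged after the defaults (e.g. `Allow` on 405).
 * @returns A Response with `Content-Type: application/json`.
 */
function jsonResponse(
  body: unknown,
  status = 200,
  extraHeaders: Record<string, string> = {},
): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: {
      'Content-Type': 'application/json',
      ...CORS_HEADERS,
      ...extraHeaders,
    },
  });
}

serve(async (req) => {
  // CORS preflight is answered before authentication: the browser sends it
  // without the Authorization header, so it can never pass the auth check.
  if (req.method === 'OPTIONS') {
    return new Response(null, {
      headers: {
        ...CORS_HEADERS,
        'Access-Control-Allow-Methods': 'POST',
        'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
      },
    });
  }

  try {
    const authHeader = req.headers.get('Authorization');
    if (!authHeader) {
      return jsonResponse({ error: 'Missing authorization header' }, 401);
    }

    // The client is created with the caller's own Authorization header, so the
    // RPCs below execute under that user's identity; `user.id` below is taken
    // from the verified token, never from the request body or query string.
    const supabase = createSupabaseClient(authHeader);
    const {
      data: { user },
      error: authError,
    } = await supabase.auth.getUser();
    if (authError || !user) {
      return jsonResponse({ error: 'Unauthorized' }, 401);
    }

    if (req.method !== 'POST') {
      // RFC 9110 requires a 405 to list the permitted methods in `Allow`.
      return jsonResponse({ error: 'Method not allowed' }, 405, { Allow: 'POST' });
    }

    // Route on the path suffix only: `/delete-account/cancel` cancels a
    // pending request, anything else under this function creates one.
    const isCancel = new URL(req.url).pathname.endsWith('/cancel');

    if (isCancel) {
      const { data, error } = await supabase
        .rpc('cancel_account_deletion', { p_user_id: user.id });
      if (error) {
        // The full database error stays in the server log; the client only gets
        // a generic message so internal error text is not disclosed.
        console.error('Error cancelling deletion:', error);
        return jsonResponse({ error: 'Failed to cancel deletion request' }, 500);
      }
      // `data.success` / `data.error` are the database function's own result
      // fields; a falsy `success` means there was nothing to cancel.
      if (!data || !data.success) {
        return jsonResponse(
          { error: data?.error || 'No pending deletion request found' },
          400,
        );
      }
      return jsonResponse({
        success: true,
        message: 'Account deletion request cancelled successfully',
      });
    }

    const { data, error } = await supabase
      .rpc('request_account_deletion', { p_user_id: user.id });
    if (error) {
      // Same policy as above: log the details, return a generic message.
      console.error('Error requesting deletion:', error);
      return jsonResponse({ error: 'Failed to request account deletion' }, 500);
    }
    // A falsy `success` here indicates the request already exists.
    if (!data || !data.success) {
      return jsonResponse(
        { error: data?.error || 'Account deletion already requested' },
        400,
      );
    }
    return jsonResponse({
      success: true,
      message: 'Account deletion requested. Your account will be permanently deleted in 30 days. You can cancel this request anytime by logging in.',
      deletion_date: data.deletion_date,
      deletion_requested_at: data.deletion_requested_at,
    });
  } catch (error: unknown) {
    // Anything thrown above (including a malformed getUser() result) lands
    // here; the client never sees the underlying error.
    console.error('Unexpected error:', error);
    return jsonResponse({ error: 'Internal server error' }, 500);
  }
});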